Guide to Privacy Law Compliance

Someone needs to be in charge. If your business is a one-person sole proprietorship, then you are in charge. In larger organizations, however, there are typically a number of individual candidates or departments that could take charge of data privacy compliance, including lawyers, information technology staff, human resources and internal audit personnel. Each of these groups tends to have a different approach, strengths and limitations. Here are some factors to consider as you look for the right person or team within the organization:

• Legal. In-house attorneys in corporate legal departments usually take an advisory role and inform others in the organization what applicable laws require, including data privacy laws. Depending on company culture and individual styles, the legal department may advise proactively or upon request. Lawyers are trained to interpret and apply laws, including data privacy laws, but not all lawyers are technology savvy or good project managers.
• Information Technology. Members of the IT department are technology savvy, but may not find it easy to understand and apply laws. IT professionals are trained in deploying and maintaining equipment, software, and services that other groups (human resources, sales, marketing, production, etc.) use to process personal data. The IT department supports these other groups and provides technology that aids other departments' business objectives. The IT department usually establishes and implements protocols to protect personal data from unauthorized access (by deploying data security measures), but does not typically decide on access privileges for individuals or legal compliance matters.
• Compliance. Some companies have separate internal audit functions, which are concerned with monitoring and enforcing compliance with laws and internal policies. Such audit departments are focused on verifying that the rule of law or existing compliance program is adhered to, but audit personnel do not typically define the rules. You lose an extra pair of eyes if you have the same person create and audit a program. Also, when audit personnel conduct investigations, they are at a particularly high risk of violating data privacy laws. Investigators often want to search e-mail boxes, computers and files, interview third parties about suspicious conduct and occasionally intercept live calls and other communications without prior notice to the data subject. Therefore, some companies feel that they would be letting the fox guard the henhouse if they tasked audit staff with designing a privacy compliance program.
• Marketing. Another option is to select individuals from data user groups within a company, such as human resources or marketing. Companies that develop or sell information technology products consider data privacy not only a compliance challenge, but also a business opportunity. For example, cloud computing service providers and enterprise software and data storage providers increasingly consider data privacy laws in the product development process to ensure that their customers can effectively use the products in compliance with applicable laws (“Privacy by Design”). In consumer markets, however, the jury is still out about whether privacy protections are a relevant differentiator ' some believe that consumers just do not care enough.

In larger businesses, the person in charge of data privacy compliance usually comes from any of the above departments or areas of specialization. Larger companies with a great exposure or interest relating to privacy laws may decide to create a new department or office. Smaller companies may find it sufficient to put someone in charge on a part-time basis. If a company has a legal department, attorneys are usually involved in data privacy compliance. Often, legal counsel take the lead regarding data privacy compliance. But the ideal candidate for project management does not necessarily have to be a lawyer, particularly if a company views data privacy more as a business opportunity.